API Reference > Endpoints > Payment Method

Payment Method

This endpoint is used to inform Ravelin of payment methods being saved or used by a customer account.

The data that you use to populate the payment method varies between payment service providers (PSP) after tokenization. If your PSP is unable to provide you with a suitable instrument ID you should allow Ravelin to generate instrument IDs on your behalf by submitting either full PANs, or client-side encrypted cards. For more information, please refer to our PCI DSS documentation.

Ravelin does not accept submission of the CVV, PIN or magnetic stripe data to any of our API endpoints.

To request a recommendation at this endpoint use the Payment Method Registration checkpoint.

POST api.ravelin.com/v2/paymentmethod

timestamp integer required

The time at which this data payload was valid. When sending events in realtime, this will usually be 'now'. This is used to merge data that arrives out-of-order.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

eventType string optional

An eventType should identify what event in your system triggered this API call.

Pattern: ^[a-zA-Z0-9][a-zA-Z0-9-_]*$

customerId string optional

The unique identifier of the customer. If your system allows anonymous checkout then we recommend making this the customer's email address.

tempCustomerId string optional

A temporary ID for a customer when the real account ID has yet to be minted. This must eventually be sent in conjunction with a real customer ID to migrate the data into the full customer account.

paymentMethod object optional

The payment method being registered by the customer.

One of the following:

card: A credit or debit card.

Show definition

methodType string required

Vault card payment method indicator.

One of: card, creditcard, or debitcard.

paymentMethodId string required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

scheme string optional

The card network or scheme, such as visa or mastercard. Ravelin will identify the scheme on your behalf if you send the cardBin, which should be preferred.

instrumentId string important

A unique identifier for the physical card, shared between customers. Used to link cards in Connect. Must not be a hash of the PAN.

If you use multiple PSPs who each generate their own equivalent of an instrumentId, you should consider prefixing their values to indicate their origin to avoid collisions. Common examples include Stripe's fingerprint, or Braintree's unique_number_identifier).

pan string pci, optional

The full Primary Account Number of the card. Used by Ravelin to generate the instrumentId for this card. If specified, you do not need to provide instrumentId, cardBin or cardLastFour.

Only PCI DSS SAQ-D certified merchants should submit the PAN to Ravelin. You must not send requests containing this field to api.ravelin.com, and must instead use pci.ravelin.com.

Please see our PCI DSS documentation for more information.

cardBin string important

The first six or eight digits of the card number/PAN. The Bank Identification Number (BIN), recently more commonly known as the Issuer Identification Number (IIN).

Given the BIN, Ravelin will populate the issuer, country of issuance, and card type on your behalf.

cardLastFour string important

The last four digits of the card number/PAN. Please note this will be truncated to the last two digits when an eight digit BIN is provided.

issuer string optional

The card issuer, who the true cardholder will report fraud to. Ravelin will identify the issuer on your behalf if you send the cardBin, which should be preferred.

prepaidCard boolean optional

Whether this is a prepaid debit card. Ravelin will identify whether the card is prepaid on your behalf if you send the cardBin which should be preferred.

countryIssued string optional

The country that the card was issued in. Ravelin will identify the country of issuance on your behalf if you send the cardBin, which should be preferred.

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

expiryMonth integer important

The expiry month of the card.

expiryYear integer important

The expiry year of the card.

eWallet string optional

deprecated

The e-Wallet to which the customer associated the card.

One of: applepay, googlepay, samsungpay, amazonpay, or visacheckout.

nameOnCard string important

The cardholder name.

billingAddress object important

The address of the registered cardholder, as used to pass AVS checks. It is common to have fewer location details for this address, but provide what you have.

Show definition

corporateCard boolean optional

Whether this payment method is a corporate card.

virtualCard boolean optional

Whether this payment method is a virtual card.

successfulRegistration boolean optional

Whether the card was successfully registered with your gateway/PSP.

registrationTime integer important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer optional

The time at which the payment method was last verified by the customer. An example mechanism would be a random amount charged to the customer's card that they can confirm the amount of.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

compromised boolean optional

Whether the card has been compromised.

compromisedReason string important

The reason why the card is considered compromised.

One of: cloned, databreach, found, lost, stolen, frozen, defrosted, or uncompromised.

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

active boolean optional

deprecated

Whether this card is still saved to the customer's account.

banned boolean optional

deprecated

Whether this card has been banned.

nickName string optional

deprecated

The nickname the customer has given the payment method.

cardType string optional

deprecated

The card network or scheme, such as visa or mastercard. Ravelin will identify the cardType on your behalf if you send the cardBin, which should be preferred.

paymentMethodCipher: An encrypted payment method, containing the full card details encrypted via a Ravelin SDK.

Show definition

methodType string required

Client-side encrypted card payment method indicator.

Only: paymentMethodCipher.

cardCiphertext string required, pci

The card ciphertext produced by the Ravelin SDK card encryption.

This field constitutes cardholder data, and submission of this field therefore requires PCI DSS SAQ-A or SAQ-AEP certification. You must not send requests containing this field to api.ravelin.com, and must instead use pci.ravelin.com.

Please see our PCI DSS documentation for more information.

aesKeyCiphertext string required

The AES Key ciphertext produced by the Ravelin SDK card encryption.

algorithm string required

The algorithm used to generate the ciphertexts.

paymentMethodId string optional

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

ravelinSDKVersion string optional

The version of the Ravelin SDK that performed this encryption.

keyIndex integer optional

The index of the public RSA key used to encrypt the card.

keySignature string optional

An identifier for the public key used during encryption.

billingAddress object optional

Show definition

registrationTime integer optional

When the payment method was added to the customer's account. Note: this is not the card start date.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

ravelinjsVersion string optional

deprecated

The version of the ravelinjs library that performed this encryption.

cash: The customer is paying in cash, or a cash-based payment method.

Show definition

bankaccount: Bank Accounts.

Show definition

methodType string required

Bank account indicator.

Only: bankaccount.

paymentMethodId string required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

transferType string required

The type of transfer: whether the customer is initiating the payment, or you are withdrawing funds from the customer's bank account based on an agreement to initiate payments on their behalf. Use "push" for a customer-initiated payment (e.g. a bank transfer) and "pull" for a merchant-initiated payment (e.g. Direct Debit).

One of: push, or pull.

scheme string important

The name of the payment scheme or instrument used for the transfer of funds.

iban string optional

IBAN (International Bank Account Number) Following the ISO 13616:2007 standard.

countryIssued string optional

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

accountAddress object optional

Show definition

accountOwnerName string optional

The name of the account owner.

bankCode string optional

Code assigned by central bank to identify bank that account is associated with. Multiple bank code formats are supported.

bankName string optional

Name of bank which account belongs to.

bic string optional

BIC - business identifier code for banks and other institutions. Following the ISO9362 standard.

accountNumber string optional

The account number issued by the bank.

nickName string optional

The nickname for the payment method that the customers gives, if applicable.

registrationTime integer important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

paypal: PayPal payments.

Show definition

methodType string required

PayPal indicator.

Only: paypal.

paymentMethodId string required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

payerId string optional

PayPal payer ID.

email string important

Account email address.

billingAddress object optional

The address of the account holder. It is common to have fewer location details for this address, but provide what you have.

Show definition

registrationTime integer important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer optional

The time at which the payment method was last verified by the customer. An example mechanism would be a random amount charged to the customer's card that they can confirm the amount of.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

nickName string optional

The nickname for the payment method that the customer gives, if applicable.

countryIssued string optional

The two-character ISO 3166-1 account country_code sent by PayPal.

verifiedAccount boolean optional

The customer’s PayPal account status. Indicates whether the account is verified or not.

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

banned boolean optional

deprecated

If the payment method has been banned

active boolean optional

deprecated

Whether the payment method is active for use by this account

credit: This payment method type should be used for any payments made using credit that a customer has with the merchant.

Show definition

invoice: This payment method should be used whenever the merchant provides credit to the customer.

Show definition

methodType string required

Invoice payment indicator.

Only: invoice.

paymentMethodId string required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

scheme string important

The name of the invoice or 'buy now, pay later' scheme used, if applicable.

registrationTime integer optional

When the payment method was added to the customer's account.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer optional

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

accountOwnerName string optional

The nickname for the payment method that the customers gives, if applicable.

accountAddress object optional

Show definition

email string optional

The email address used by the customer to register an invoice or 'buy now, pay later' payment method.

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

wallet: A digital wallet payment method.

Show definition

methodType string required

Vault card payment method indicator.

Only: wallet.

paymentMethodId string required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

scheme string required

The name of the digital wallet scheme or electronic payment service.

cardScheme string optional

The card network or scheme of the card used within a wallet payment method, such as visa or mastercard. Ravelin will identify the cardScheme on your behalf if you send the cardBin, which should be preferred.

instrumentId string important

A unique identifier for the physical card, shared between customers. Used to link cards in Connect. Must not be a hash of the PAN.

pan string pci, optional

The full Primary Account Number of the card. Used by Ravelin to generate the instrumentId for this card. If specified, you do not need to provide instrumentId, cardBin or cardLastFour.

Only PCI DSS SAQ-D certified merchants should submit the PAN to Ravelin. You must not send requests containing this field to api.ravelin.com, and must instead use pci.ravelin.com.

Please see our PCI DSS documentation for more information.

cardBin string important

The first six digits of the card number/PAN. The Bank Identification Number (BIN), recently more commonly known as the Issuer Identification Number (IIN).

Given the BIN, Ravelin will populate the issuer, country of issuance, and card type on your behalf.

cardLastFour string important

The last four digits of the card number/PAN.

cardType string optional

deprecated

The card network or scheme, such as visa or mastercard. Ravelin will identify the cardType on your behalf if you send the cardBin, which should be preferred.

issuer string optional

The card issuer, who the true cardholder will report fraud to. Ravelin will identify the issuer on your behalf if you send the cardBin, which should be preferred.

prepaidCard boolean optional

Whether this is a prepaid debit card. Ravelin will identify whether the card is prepaid on your behalf if you send the cardBin which should be preferred.

countryIssued string optional

The country that the card was issued in. Ravelin will identify the country of issuance on your behalf if you send the cardBin, which should be preferred.

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

expiryMonth integer important

The expiry month of the card.

expiryYear integer important

The expiry year of the card.

nameOnCard string important

The cardholder name.

billingAddress object important

The address of the registered cardholder, as used to pass AVS checks. It is common to have fewer location details for this address, but provide what you have.

Show definition

successfulRegistration boolean optional

Whether the card was successfully registered with your gateway/PSP.

registrationTime integer important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer optional

The time at which the payment method was last verified by the customer. An example mechanism would be a random amount charged to the customer's card that they can confirm the amount of.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

active boolean optional

deprecated

Whether this card is still saved to the customer's account.

banned boolean optional

deprecated

Whether this card has been banned.

nickName string optional

deprecated

The nickname the customer has given the payment method.

fromTransaction: Refer to the payment method used by a named transaction. For usage examples, see Saving payment methods after checkout and Associating refunds with payment methods.

Show definition

~~directdebit: Direct Debits.~~ - deprecated.

Show definition

methodType string required

Direct Debit indicator.

Only: directdebit.

paymentMethodId string required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

transferType string required

Bank transfer type

Only: directdebit.

scheme string required

The type of direct debit scheme.

One of: autogiro, bacs, becs, becsnz, betalingsservice, or sepa.

iban string optional

IBAN (International Bank Account Number) Following the ISO 13616:2007 standard.

countryIssued string optional

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

accountAddress object optional

Show definition

accountOwnerName string optional

The name of the account owner.

bankCode string optional

Code assigned by central bank to identify bank that account is associated with. Multiple bank code formats are supported.

bankName string optional

Name of bank which account belongs to.

bic string optional

BIC - business identifier code for banks and other institutions. Following the ISO9362 standard.

accountNumber string optional

The account number issued by the bank.

mandateRef string optional

The unique reference issued for the direct debit mandate.

mandateURL string optional

A URL to access the direct debit mandate agreement.

nickName string optional

The nickname for the payment method that the customers gives, if applicable.

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

~~banktransfer: Bank Transfers.~~ - deprecated.

Show definition

methodType string required

Bank transfer indicator.

Only: banktransfer.

paymentMethodId string required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

transferType string required

Bank transfer type

One of: bancontact, eps, giropay, ideal, inghomepay, sofort, or sepa.

iban string optional

IBAN (International Bank Account Number) Following the ISO 13616:2007 standard.

countryIssued string optional

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

accountAddress object optional

Show definition

accountOwnerName string optional

The name of the account owner.

bankCode string optional

Code assigned by central bank to identify bank that account is associated with. Multiple bank code formats are supported.

bankName string optional

Name of bank which account belongs to.

bic string optional

BIC - business identifier code for banks and other institutions. Following the ISO9362 standard.

accountNumber string optional

The account number issued by the bank.

nickName string optional

The nickname for the payment method that the customers gives, if applicable.

registrationTime integer important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

~~Others~~ - deprecated.

Show definition

Removal: Used for marking a saved payment method as removed from the account.

Show definition

device object optional

The device used by the customer to trigger this update.

Show definition

deviceId string required

The ID of the device used by the customer to trigger this update.

ipAddress string important

The IP address of the device connecting to your services. Used in fraud and account-takeover detection.

When extracting this IP address, consider X-Forwarded-For.

language string optional

The ISO 639 code of your customer's device's preferred language, or the IET Language Tag (BCP 47) values from the browser's Accept-Language header.

userAgent string important

The browser user-agent string, if the device represents a web browser - window.navigator.userAgent.

model string important

The model/identifier name of the device if the device represents a native app. See here for iOS models: https://www.theiphonewiki.com/wiki/Models and here for Google Play supported models: http://storage.googleapis.com/play_public/supported_devices.csv.

os string important

The operating system that the device is running.

type string optional

The type of device.

One of: computer, phone, or tablet.

manufacturer string optional

The maker of the device.

location object optional

The geolocated position of the device.

Show definition

custom object optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

browser string optional

deprecated

The name of the web browser being used, if applicable. Prefer userAgent.

javascriptEnabled boolean optional

deprecated

Whether Javascript is enabled on the web browser.

cookiesEnabled boolean optional

deprecated

Whether cookies are enabled on the web browser.

screenResolution string optional

deprecated

The resolution of the screen on the device in the format XxY

deviceId string optional

The ID of the device used by the customer to trigger this update.

POST https://api.ravelin.com/v2/paymentmethod HTTP/1.1
Authorization: token ...
Content-Type: application/json

{
  "timestamp": 1512828988826,
  "customerId": "abc-123-ZYZ",
  "tempCustomerId": "abc-123-XYZ",
  "paymentMethod": {
    "methodType": "card",
    "paymentMethodId": "pm-abc123",
    "scheme": "visa",
    "instrumentId": "fp_abc123",
    "cardBin": "535522",
    "cardLastFour": "0001",
    "expiryMonth": 7,
    "expiryYear": 2020,
    "eWallet": "applepay",
    "nameOnCard": "John Smith",
    "billingAddress": {
      "country": "GBR",
      "postalCode": "E1 1AA",
      "latitude": 51.503252,
      "longitude": -0.127899,
      "addresseeName": "John Smith",
      "street1": "123 fake st.",
      "street2": "floor 4, flat 48",
      "neighbourhood": "Hackney",
      "zone": "1",
      "city": "London",
      "region": "California",
      "poBoxNumber": "1234"
    },
    "corporateCard": true,
    "virtualCard": true,
    "successfulRegistration": true,
    "registrationTime": 1512828988826,
    "lastVerified": 1512828988826,
    "compromised": true,
    "compromisedReason": "stolen"
  },
  "device": {
    "deviceId": "65fc5ac0-2ba3-4a3b-aa5e-f5a77b845260",
    "ipAddress": "81.152.92.84",
    "language": "en-US",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
    "model": "Pixel XL",
    "os": "android",
    "type": "phone",
    "manufacturer": "google",
    "location": {
      "country": "GBR",
      "postalCode": "E1 1AA",
      "latitude": 51.503252,
      "longitude": -0.127899,
      "addresseeName": "John Smith",
      "street1": "123 fake st.",
      "street2": "floor 4, flat 48",
      "neighbourhood": "Hackney",
      "zone": "1",
      "city": "London",
      "region": "California",
      "poBoxNumber": "1234"
    }
  }
}

Response

status integer

The HTTP response status code.

timestamp integer

A unix timestamp indicating when we finished handling the request.

message string

If an error has occurred, a description of the error.

data object

Contains our recommendations and related details.

Show definition

action string

Our recommended action.

Use this to determine how you should handle the order.

See source for the reason for this recommendation.

One of: ALLOW, REVIEW, or PREVENT.

source string

The reason for our recommended action.

Do not implement any logic based upon this field as we may add new values in the future without warning.

Options:

CHARGEBACK - The action was based the customer having at least one unforgiven dispute.
LOOKUP - The action was based on finding the customer in our Lookup fraud database.
MANUAL_REVIEW - The action was based on a manual review.
NETWORK - The action was based on how the customer was connected in our Connect graph network.
RATE_LIMIT - This request was rate-limited. The action was based on the default action for rate-limited requests.
RAVELIN - The action was based on the payment fraud score and your thresholds. See score.
RULE - The action was based on a rule.

score integer

The fraud score produced by the machine learning model. A value between 0 and 100. The higher the number the more fraudulently the model scored the customer.

This may not be the source of the final recommendation, see source.

customerId string

The ID of the customer to which this recommendation applies.

scoreId string

A unique ID for this score.

transactionOptimisation object

If transaction optimisation is enabled, and a transaction optimisation recommendation was requested, this will contain the recommendation and related details.

Show definition

warnings array

Warnings when the data you are sending may negatively impact fraud detection.

Show definition

cachedScore boolean

In order to provide resiliency, on the rare occasion that Ravelin isn’t able to calculate a fraud score, a cached score is used to determine the action. If a cached score was used, this field will be true.

effectiveTime string

Response Version 1

Specifies the time the score was originally calculated. Uses the format 2020-01-01T00:00:00.00000000Z.

comment string

Response Version 1

If the customer was manually reviewed, the comment left by the reviewer.

rules object

Response Version 2

Contains details about the rules which were triggered by this customer.

Show definition

connect object

Response Version 2

Contains details about the network the customer is connected to.

Show definition

lookup object

Response Version 2

Contains details about the Lookup results for the customer.

Show definition

market object

Response Version 2

Contains details about the market for the customer.

Show definition

thresholds object

Response Version 2

Contains details about the machine learning fraud score thresholds.

Show definition

orderId string

Response Version 3

The ID of the order used to calculate the recommendation, typically the customer's latest order.

transactionId string

Response Version 3

The ID of the transaction used to calculate the recommendation, typically the customer's latest transaction.

{
  "status": 200,
  "timestamp": 1512828988826,
  "data": {
    "action": "ALLOW",
    "score": 12,
    "source": "RAVELIN",
    "customerId": "abc-123-ZYZ",
    "scoreId": "2bf39d-d1299-31",
    "transactionOptimisation": {
      "transactionId": "123-abc-XYZ",
      "action": "AUTHENTICATE",
      "exemption": "TRANSACTION_RISK_ANALYSIS",
      "threeDSChallengePreference": "NO_CHALLENGE_REQUESTED",
      "actionSource": "CLIENT_RULE",
      "rules": {
        "triggered": [
          {
            "ruleId": 1,
            "ruleVersion": 1,
            "action": "AUTHENTICATE",
            "exemption": "TRANSACTION_RISK_ANALYSIS",
            "threeDSChallengePreference": "NO_CHALLENGE_REQUESTED",
            "triggered": true,
            "state": "active"
          }
        ]
      }
    },
    "warnings": [
      {
        "class": "customer-not-found",
        "help": "https://developer.ravelin.com/api/warnings/#customer-not-found",
        "msg": "Customer \"abc-123-ZYZ\" not found."
      }
    ]
  }
}

Feedback

Was this page helpful?